How to restrict access to spaces based on Azure AD groups in Qlik Sense SaaS (Cloud)?
We have Qlik Sense SAAS and we have an Azure AD. We already connected the two of them and are logging in with our Microsoft account. Now we want to give and restrict access to spaces based on Azure AD groups. Is this possible in SAAS? And if yes, how?
Yes, this is possible as long as your tenant administrator has enabled groups, you can also add groups of users to your space. For more details see the articles here:
You can do this if you set up your IdP to bring in groups and have QS SaaS recognise them. In QS Management Console you need to go to Settings and enable group creation.
However it's worth noting there are limitations to this -
1. Groups won't be seen by QS SaaS until someone in the group logs in.
2. Membership of a group will be evaluated at each login - no group membership is stored outside of the individual user session.
3. Users given access via a group won't be able to be added to Notes and some other features.
The only thing it doesn't cover I think is that in QS Management Console you need to go to Settings and enable group creation.
This is mostly because QS SaaS doesn't have a mechanism to track what groups a user is in except during an active session. Since it doesn't know who is in a group, it can't see if they should be able to be referenced in a Note or other things.
Yes, this is possible as long as your tenant administrator has enabled groups, you can also add groups of users to your space. For more details see the articles here:
But this is what a user can do and can see within a space. You still need to assign a user and userroles to the space. I want to make a rule, if user is from the finance department, you can see the space Finance. Like what you can do with security rules on premise. Do you know if that is possible?
You can do this if you set up your IdP to bring in groups and have QS SaaS recognise them. In QS Management Console you need to go to Settings and enable group creation.
However it's worth noting there are limitations to this -
1. Groups won't be seen by QS SaaS until someone in the group logs in.
2. Membership of a group will be evaluated at each login - no group membership is stored outside of the individual user session.
3. Users given access via a group won't be able to be added to Notes and some other features.
The only thing it doesn't cover I think is that in QS Management Console you need to go to Settings and enable group creation.
This is mostly because QS SaaS doesn't have a mechanism to track what groups a user is in except during an active session. Since it doesn't know who is in a group, it can't see if they should be able to be referenced in a Note or other things.
